Criminals combine a range of threat technologies, deployed in numerous stages to infect computers and networks. This blended approach increases the likelihood of success, the speed of contagion, and the severity of damage.
Read on for a step-by-step overview of applying a layered cybersecurity strategy that can secure your clients at every stage of an attack, across every possible attack vector.
20 Critical Security Controls for Effective Cyber Defense
Creating a Security Plan that actually works
Educating the Client
The average loss from a cyber breach for a small business is nearly $80,000 (source: Better Business Bureau, “2017 State of Cybersecurity Among Small Businesses in North America,” n.d.).
Today’s threats take advantage of multiple vectors to attack, from malicious email attachments to infected web ads to phishing sites. Criminals combine a range of threat technologies, deployed in numerous stages to infect computers and networks. This blended approach increases the likelihood of success, the speed of contagion, and the severity of damage.
The only way to keep your clients safe is with a layered cybersecurity strategy that can secure users and their devices at every stage of an attack, across every possible attack vector. The following guide is designed to help MSPs develop an effective IT security program for their clients.
20 Critical Security Controls for Effective Cyber Defense
The following list of security controls shows what measures organizations need to implement to achieve an effective security posture. Don’t be overwhelmed; most security-focused organizations already have some of these in place, even if they are not fully automated or integrated.
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
- Continuous vulnerability assessment and remediation
- Malware defenses
- Application software security
- Wireless device control
- Data recovery capability
- Security skills assessment and appropriate training to fill gaps
- Secure configuration for network devices such as firewalls, routers, and switches
- Limitation and control of network ports, protocols, and services
- Controlled use of administrative privileges
- Boundary defense
- Maintenance, monitoring, and analysis of audit logs
- Controlled access based on the “need to know”
- Account monitoring and control
- Data loss prevention
- Incident response and management
- Secure network engineering
- Penetration tests and Red Team exercises
Creating a Security Plan that actually works
Step 1: Assess
Assessing your clients’ risk allows you to jointly determine the proper security policies and procedures to put into place. To effectively assess risk, you need to examine threats, vulnerability, and assets.
Reviewing the following four profiles with your clients will help pinpoint the most frequent or likely threats they may experience.
- Malicious Insider: Someone associated with your client’s organization who wants to create harm, such as a disgruntled employee or contractor.
- Malicious Outsider: A hacker or someone involved in industrial espionage. These are the most frequent types of threats organizations face, and the most expensive.
- Accidental Insider: A client’s employee or contractor who is poorly trained in security practices. Examples include an employee who uses his birthdate as a password, and shadow IT, in which a department (such as marketing) bypasses IT to set up its own Dropbox account with a shared password.
- Natural Causes: Companies with facilities on a flood plain, in a tornado zone, or in an area that is susceptible to wildfires or other natural disasters can be at risk for losing critical assets and should consider implementing robust data backup and recovery solutions.
The best cybersecurity won’t protect your clients if they don’t address existing vulnerabilities within their organizations. Run through this checklist with your clients to determine which areas need attention.
- Do you have a security plan in place? Who has access to it?
- Do you have a backup/business continuity plan?
- Does your organization have a Chief Information Security Officer (CISO) or someone who is dedicated to enforcing and maintaining security policies?
- Have you applied all applicable security patches?
- Does your company have a bring-your-own-device (BYOD) policy?
- What are your policies for data segregation and encryption?
- Do you give employees and contractors only enough access to do their jobs (i.e., least privilege)?
- Are your employees and contractors trained in security best practices?
- What security products do you already have (e.g., firewall, intrusion detection, encryption)?
- Do you have a password policy for all company-issued devices?
- What method do you use to dispose of sensitive data?
- Do you have account management and access controls in place?
- Where are your servers located? What access controls do they have?
- Does your organization have session controls in place?
- How often do you review your audit logs?
- Do you have malware protection? How often do you update it?
Many organizations are lax about maintaining an inventory of their assets, such as laptops, tablets, smartphones, and servers. Not having an accurate inventory can pose significant problems when an attack occurs. For example, a hospital that falls victim to ransomware may have trouble locating a backup server that contains critical protected health information. You can educate your clients on the importance of maintaining an accurate inventory that is categorized and rated according to their need for confidentiality, integrity, and availability.
Step 2: Document an Organization-wide Security Plan
Here are some baseline components for an organization-wide security plan.
- Security Policy Procedures, Guidelines and Standards: This includes management controls (risk assessment, review of security controls), operational controls (personnel security, physical security), and technical controls (identification and authentication, access controls).
- Security Training and Awareness: Security awareness training should be conducted on an ongoing basis. Email updates and other reminders can be sent throughout the year.
- Incident Handling: Central management and reporting of all incidents is important to understanding an organization’s security posture and to coordinate a response to a potential attack.
- Compliance Reviews and Enforcement: Compliance reviews consist of annual reviews of applicable security systems and documentation including security plans, risk assessment reports, contingency plans, etc.
Step 3: Establish a Security Management Structure and Clearly Assign Security
This takes into account the current IT team leadership. Organizations need to determine if the CIO will oversee the organization’s security, or if that responsibility falls on someone else, such as a CISO.
Step 4: Implement Effective Security-related Personnel Policies
Since internal incidents occur almost as frequently as external ones, companies should emphasize these practices across all of their departments.
- Require background checks on employees and contractors
- Ensure personnel have completed and signed nondisclosure agreements (NDAs)
- Enforce termination and transfer procedures including:
  - Returning equipment, ID badges, access keys, etc.
  - Terminating user IDs and passwords
  - Identifying nondisclosure period effectiveness
- Require employees to complete ongoing security awareness training, including phishing simulations
Monitor the Effectiveness of your Security Program
Your clients’ security programs need to be reviewed and updated regularly in order to keep pace with today’s ever-evolving cyberattack methods. You can counsel your clients to conduct regular scans of technical controls and system vulnerabilities to help stay up to date with new threats. Performing annual penetration tests can simulate the threat of someone trying to break into their organization’s network and determine the effectiveness of their response procedures.
“Today’s advanced malware is increasingly difficult to remove and even harder to detect” – Tyler Moffitt, Senior Threat Research Analyst, Webroot Inc.
Educating the Client
When discussing cybersecurity solutions with your clients, cover the following points to get the conversation started.
Cybercriminals have a variety of tools and resources at their disposal
Today’s cybercriminals deploy increasingly sophisticated cyberattacks including malware, phishing, and ransomware. Research from the 2019 Webroot Threat Report found that 93% of all malware seen in 2018 was unique to a single endpoint device, meaning most malware is polymorphic and previously unknown.
Since the ransomware attacks WannaCry and NotPetya effectively shut down global corporations, hospitals, and other institutions, ransomware attacks continue to target state and local government IT infrastructure.
Internal incidents can be even more damaging than external ones
While many companies protect themselves from external threats, internal incidents can be just as devastating, or more so. The increased mobility of an organization’s data, combined with BYOD initiatives, creates ample opportunities for cybercriminals. According to the Ponemon report, 52 percent of incidents involved a criminal or otherwise malicious attack. However, 24 percent of incidents were caused by negligent employees, and another 24 percent were caused by system glitches, including both IT and business process failures.
Traditional antivirus protection isn’t enough to protect against multi-vector threats
Today’s antivirus solutions are often designed to monitor and block malware on single channels, and can’t address multi-vector attacks. They are also extremely resource-intensive. In light of the evolving threat landscape, most organizations need a cloud-based, multi-layered security defense. Such solutions leverage big data, machine learning, and collective threat analysis from customers and technology partners to identify infections as they occur, so they can be quickly neutralized.
In addition to pointing out key events within today’s threat landscape, you can also educate clients on how cyberattacks are deployed and spread. Most cyberattacks typically start with some sort of phishing attack against a user. Although random phishing attacks are relatively common, hackers often target a specific audience.
When a user falls for the phishing attack or clicks on a malicious site, the endpoint gets infected. Hackers then use these initial infections as launch points, getting deeper into the organization’s systems where they can access valuable data such as admin passwords, credit card information, and protected health information (which can be even more valuable to criminals than credit card numbers).
Once they have compromised these computers, attackers may also engage in other damaging activities such as distributed denial-of-service (DDoS). In essence, the attackers intentionally “paralyze” a computer network by flooding it with data sent simultaneously from many individual computers.
Helping your clients combine technology with an organization-wide effort to improve overall security posture and awareness goes a long way in preventing a security disaster. Get them started using these basic, yet effective, cybersecurity measures.
- Patching: A typical web application can experience hundreds, even thousands, of individual attacks each year because hackers are always scanning for vulnerabilities. Patching ensures your clients’ systems are up to date, which makes it more difficult for hackers to penetrate them.
- Vulnerability Management: Regularly scanning for vulnerabilities will determine areas within your clients’ systems that are outdated or require a patch. This simple, low-cost practice alone can drastically improve security.
- Log Monitoring: Log monitoring looks for anomalies in logs, such as privileged user abuse. This can help your clients identify threat patterns.
- Threat Detection: Threat detection includes your clients’ firewalls and intrusion detection systems (IDS). A firewall is the first step to monitoring and controlling network traffic based on your clients’ security rules. A good IDS can detect anything that may get through the firewall. It also uses advanced heuristics to identify traffic behavior patterns that could be malicious.
- Effective Backup Solutions: Backups are essential for remediating malicious activity and ensuring business continuity in the event of an attack. Having a regular backup solution also addresses concerns about whether your clients have ready access to the latest versions of their applications and data. This is critical for organizations that must meet certain compliance mandates, such as HIPAA or PCI-DSS.
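To make the log-monitoring measure concrete (anomalies such as privileged user abuse, reviewed against the "controlled use of administrative privileges" and audit-log controls listed earlier), here is an added example that is not part of the original guide: it scans constructed Linux sudo log lines and flags privileged use by accounts outside an approved admin set, privileged use outside business hours, and failed sudo attempts. The approved-admin set, business-hours window and log lines are all hypothetical values an MSP would tailor per client.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the original guide) showing sudo
# activity on a Linux host; as in real syslog, the timestamps carry no year.
SAMPLE_LOG = """\
Jan 12 09:14:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 12 09:20:41 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Jan 12 02:31:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 12 11:02:13 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jan 12 11:02:30 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
"""

# Matches the standard sudo syslog format: "<timestamp> <host> sudo: <user> : <details>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: +(?P<user>\S+) : (?P<rest>.*)$"
)

# Hypothetical per-client policy: who may hold admin rights, and when they normally use them.
APPROVED_ADMINS = {"alice", "bob"}
BUSINESS_HOURS = range(8, 18)  # 08:00 through 17:59 local host time


def find_privileged_anomalies(log_text, approved=APPROVED_ADMINS, hours=BUSINESS_HOURS):
    """Return (user, reason, command) tuples for sudo events that break the policy."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo event; other log sources would need their own parser
        user, rest = m.group("user"), m.group("rest")
        hour = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").hour
        command = rest.split("COMMAND=", 1)[1] if "COMMAND=" in rest else ""
        if "incorrect password attempts" in rest:
            findings.append((user, "failed sudo attempts", command))
        if user not in approved:
            findings.append((user, "sudo by non-approved account", command))
        if hour not in hours:
            findings.append((user, "privileged use outside business hours", command))
    return findings


if __name__ == "__main__":
    for user, reason, command in find_privileged_anomalies(SAMPLE_LOG):
        print(f"{user:8} {reason:40} {command}")
```

A production version would read from the client's central log collector rather than a string and would baseline each account's usual hours instead of one fixed window, but the policy checks stay the same.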